Technology permeates the operations of the entire institution and therefore defies compartmentalization. Technology enables the institution to develop, deliver, and manage its products and services. An effective IT risk management process should identify, measure, control, and monitor operations risk. The process begins with identifying risks in the institution's overall business strategy. Understanding the role technology plays in enabling core business operations establishes the framework for understanding and assessing risks. Accordingly, the risk identification process should begin with a comprehensive survey of the institution's technology environment and inventory its technology assets.
The survey and inventory of the technology environment and assets also involves assessing the relative importance of systems, databases, and applications based on their function, the criticality of data they support, and their importance to core business operations. The inventory clarifies the enterprise architecture and highlights the relationships between the institution's systems, networks, and external systems.